Mobile IP Working Group V. Gupta INTERNET DRAFT SUN Microsystems S. Glass FTP Software March 17, 1997 Firewall Traversal for Mobile IP: Guidelines for Firewalls and Mobile IP entities draft-ietf-mobileip-firewall-trav-00.txt Status of this Memo This document is a submission by the Mobile IP Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the mobile-ip@SmallWorks.COM mailing list. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this memo is unlimited. Abstract The use of network security mechanisms such as ingress filtering, firewall systems and private address spaces can disrupt normal operation of Mobile IP [GuGl97]. This document outlines behavioral guidelines for Mobile Nodes, their Home Agents and intervening Firewalls. Compliance with these guidelines allows secure datagram exchange between a mobile node and its home agent even across firewalls, ingress filtering routers and distinct address spaces. To its correspondent nodes, the mobile node appears to be connected to its home network even while roaming on the general Internet. It enjoys the same connectivity (modulo performance penalities) and, if Gupta & Glass Expires September 17, 1997 [Page 1] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 desired, privacy outside its protected domain as on the inside. The guidelines described here solve a restricted, but still useful, variant of the general firewall traversal problem for Mobile IP. They make the following assumptions: (a) All intervening firewalls belong to the mobile node's protected home domain and their existence and relative placement, with respect to a mobile node's current location, is known a priori. (b) Mobile nodes use co-located care-of addresses (rather than Foreign Agents) when outside their protected home domain. (c) Firewalls implement standard protocols for authentication and encryption [RFCs 1825, 1826, 1827] but need not understand Mobile IP message formats. (d) When private addresses are used inside a Mobile node's home domain, the home agent is able to distinguish between private and public addresses. 1. Introduction The IETF Mobile IP protocol [Per96a] allows a mobile node (MN) to continue sending and receiving IP datagrams using a fixed address, its home address, even when it is no longer connected to its home subnet. When a mobile node visits a foreign subnet, it obtains a care-of address on that network and registers that address with its home agent (HA), a special entity residing on its home subnet. The home agent, in turn, intercepts datagrams meant for the mobile node and tunnels them to the registered care-of address. Tunneling refers to the process of enclosing the original datagram, as data, inside another datagram with a new IP header [Per96b, Per96c]. The new header carries the mobile node's care-of address in the destination field. The care-of address may belong to a specially designated node -- the foreign agent (FA) -- or may be a temporary address assigned to one of the interfaces of the mobile node, e.g. through DHCP or PPP. In the latter case, the mobile node is said to have a co-located care-of address. This mode of operation obviates the need for explicit mobility support, in the form of an FA, on the foreign subnet, though local policy may still require a mobile node to register through an FA. The recipient of a tunneled packet recovers the original datagram before processing it further. Mobile IP assumes that routing of unicast traffic is based solely on the destination address. Many Internet routers now include other considerations in their forwarding decision, e.g. in an effort to guard against IP-spoofing attacks, source-filtering routers drop datagrams that arrive on an interface inconsistent with their source address [CA9621]. Such a router, if present on the foreign network, will block all datagrams generated by a visiting mobile node carrying its home address as source. A solution to this problem is to use a reverse tunnel directed from the mobile node's care-of address to its home agent [Mont97]. Under this arrangement, datagrams sent from MN Gupta & Glass Expires September 17, 1997 [Page 2] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 to a correspondent node (CN) now carry the care-of address (rather than the home address) as source in the outermost IP header and pass unchallenged through source-filtering routers to the mobile node's home agent. The home agent strips the outer IP header and recovers the original packet. From then on, the packet is forwarded as if the mobile node were on its home subnet. Additionally, many organizations use firewalls to protect their networks from the general Internet. These firewalls impose additional constraints, e.g. they may drop unsolicited datagrams from untrusted external hosts [ChZw95]. Such a policy is enforced by carefully screening the source and destination addresses, as well as ports, on all transport level packets. For TCP packets, the firewall may also monitor the ACK bit. In this situation, a mobile node's registration requests are likely to be dropped by a firewall protecting its home network. Note that source-filtering is not an issue here because registration requests arrive with a topologically correct source address - namely the current care-of address of the mobile node. To complicate matters, organizations often hide the topology of their internal network by using private addresses. These addresses are not advertised to the general Internet. Such addresses include, but are not restricted to, those defined in RFC 1918. The Internet's routing fabric is unable to route packets to these addresses (resulting in ICMP unreachables). To allow connections from the internal network to the general Internet, application relays (also called application gateways or proxies) are used. In a typical configuration, the internal network is separated from the general Internet by a "perimeter network" on which the firewall and proxies are located [ChZw95] (see Figure 1). Hosts on the peripheral network use public addresses, i.e. their addresses are advertised to the general Internet. When a host on the internal network wishes to connect to the Internet, two separate connections are set up: one between the internal host and the proxy and another between the proxy and the outside host. To the external host, the user at the other end appears to be on the proxy host. Gupta & Glass Expires September 17, 1997 [Page 3] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 I N T Firewall w/ [FW] E application +---+ +------[R1]----------- R proxies | | | Exterior/ N | | | Access E +-+-+ | Router T** | | ----+--------+------------+-- | Perimeter Network** Interior/ | Choke [R2] Router | | * = Uses Private Addresses Internal Network* ** = Uses Public Addresses Figure 1: Screened-subnet firewall architecture. The use of private addresses on firewall-protected networks poses an additional challenge. A mobile node belonging to such a network can not use its home address (a private address) to communicate directly with correspondent nodes when it is outside the protected domain since replies from correspondent nodes to the private address will likely generate a "host unreachable" ICMP message. If, somehow, a reverse tunnel can be established from the mobile node to its home agent, the mobile node can continue using its private home address. Datagrams generated by the mobile node using its home address will appear to emerge from its home network and connections to external hosts will still involve an intermediate proxy. The presence of intermediate firewall(s) disrupts free flow of packets from a mobile node on the outside to its home agent on the inside. In its current form, this draft provides a conceptual framework for achieving the required connectivity by mutual cooperation between mobile nodes, their home agents and intervening firewalls. As proposed IPSEC standards stabilize, later revisions will incorporate greater details, e.g. message formats required to establish dynamic security associations. 2. Solution Overview In a security-conscious environment, there are two main obstacles preventing free flow of datagrams between a mobile node and its home agent. Both can be countered as described below: Gupta & Glass Expires September 17, 1997 [Page 4] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 (1) Firewalls: Their main purpose is enforcing controlled access to the internal network. Firewalls can use IPSEC authentication to establish the true identity of a datagram source. Their security policy can be appropriately configured such that packets between an authenticated mobile node and its home agent are allowed to pass. Additionally, IPSEC encryption can be used between the outermost (perimeter) firewall and the mobile node to keep untrusted hosts, outside the protected domain, from prying on a mobile node's traffic. (2) Ingress Filtering/private address spaces: We group these together because both mechanisms are implemented by filtering routers. These routers do not forward any datagram in which either: (i) The source address is inconsistent with the interface that the datagram arrives on, i.e. the source is topologically incorrect. Note that an unknown source addresses can be thought of as always being topologically incorrect. (ii) The destination address is unknown. These routers can be countered by using (possibly multiple levels of) tunneling such that on the outermost IP header both the source and destination addresses are known to the router and the source address is topologically correct. There are only two kinds of datagrams that need to pass back and forth through these obstacles: Gupta & Glass Expires September 17, 1997 [Page 5] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 (a) Datagrams directed from a mobile node to its home agent which include registration requests and reverse tunneled traffic. In either case, the (outermost) IP header contains the mobile node's care-of address (COA) as source and the home agent's address (HA) as destination. HA MN (Inside) (Outside) <------------- +--------+--------+--------------+ | s=COA | UDP | Registration | | d=HA | header | request | +--------+--------+--------------+ +-------+----------------+-------------+ | s=COA | s=MN home addr | Upper layer | | d=HA | d=CN | protocol | +-------+----------------+-------------+ For the rest of this article we represent both of these as follows and refer to it as an "inbound" packet. <-------- +-------+---------+ | s=COA | MIP | s: IP source | d=HA | payload | d: IP destination +-------+---------+ Figure 1: Inbound packet Gupta & Glass Expires September 17, 1997 [Page 6] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 (b) Datagrams directed from a home agent to a mobile node which include registration replies and (forward) tunneled traffic. In either case, the (outermost) IP header contains the home agent's address as source and the mobile node's care-of address as destination. HA MN (Inside) (Outside) -------------> +--------------+--------+-------+ | Registration | UDP | s=HA | | reply | header | d=COA | +--------------+--------+-------+ +-------------+----------------+-------+ | Upper layer | s=CN | s=HA | | protocol | d=MN home addr | d=COA | +-------------+----------------+-------+ For the rest of this article we represent both of these as follows and refer to it as an "outbound" packet. --------> +---------+-------+ | MIP | s=HA | | payload | d=COA | +---------+-------+ Figure 2: Outbound packet 2.1 Assumptions Our solution is based on the following assumptions: (a) A mobile node can deduce its current location and the sequence of firewalls that must be traversed to reach the home agent. The exact mechanism for doing so is unspecified and will primarily be decided by the local (home) security policy. It may be based on manual pre-configuration, user input or a separate dynamic firewall-discovery protocol. Such a discovery protocol is beyond the scope of this document. For the rest of this article we label the intervening firewalls FW1, FW2, ..FWn. Here, FW1 is the perimeter firewall guarding the home domain from the Internet. Gupta & Glass Expires September 17, 1997 [Page 7] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 Protected Domain | Internet (Inside) | (Outside) | HA | MN | | ---+---[FWn]-- ... --[FW2]--[FW1]--[R']-- ... --[R]--+-- Home network | | | Figure 3: Security framework addressed by this document. (b) All firewalls are IPSEC-aware and able to establish security associations between themselves. (c) FW1 is the only firewall whose address is advertised on the general Internet, i.e. routers such as R and R' can route packets to FW1 but are not aware of the addresses used internally by FW2, ... FWn. In contrast, routers on the inside are able to route packets for FW1 through FWn but are unaware of any addresses used on the outside Internet. (d) Any number of routers may exist between the MN (outside the home domain), and HA (inside the home domain), any or all of which implement source filtering, i.e. they drop packets on which the source address is either unknown or inconsistent with the interface on which the datagram is received. All routers drop packets meant for unknown destinations. (e) The Mobile Node is IPSEC aware and can acquire an appropriate security association with each firewall such that packets authenticated with that association are allowed to pass through. This acquisition may either be based on manual configuration or a key management and distribution protocol [MSST96, Orma96]. (f) When MN is outside the protected domain, there are no firewalls between it and FW1. (g) Nodes within the protected domain trust each other, so, for example, there is no need to encrypt a mobile node's traffic on network links inside the protected domain. Note that procedures defined in this document do not preclude end-to-end or other forms of such encryption, should they be required by an organization's security policy. (h) A home agent belonging to the protected domain is able to distinguish between addresses belonging to the protected domain Gupta & Glass Expires September 17, 1997 [Page 8] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 and those on the outside. Manual configuration is one option (e.g. one could supply a list of "internal addresses" and all others will be treated as "external). It is also possible to introduce a new MN-HA extension in registration requests that identifies the care-of address as being "external". This essentially transfers the burden of identification from the HA to the MN which may be justified since the latter can consult the user if needed. Note that assumptions (c) and (d) represent additional constraints accommodated by our solution rather than solution requirements. 3. Inbound Datagram Processing On realizing that it is outside its protected domain, a mobile node first establishes a security association with the perimeter firewall. IPSEC compliant key management protocols must allow separation between an entity's true identity and its current IP address. This distinction is crucial for a mobile node when it must send a packet with its current care-of address past a firewall. If necessary, this exchange may have to be repeated for each of the other firewalls in sequence. To send an "inbound" packet to its home agent, the mobile node prepends a tunnel mode authentication header for each firewall starting with FWn. In addition, transport mode encryption may (optionally) be inserted before prepending the authentication header corresponding to FW1. If both authentication and encryption are desired between the mobile node and FW1, the mobile node may choose a single ESP transform that accommodates both. <---------- +-------+---------+-------+-----+...+------+-----+-------+---------+ | s=COA | AH1+ESP | s=COA | AH2 | |s=COA | AHn | s=COA | MIP | | d=FW1 | or ESP' | d=FW2 | | |d=FWn | | d=HA | payload | +-------+---------+-------+-----+...+------+-----+-------+---------+ Figure 4: An "inbound" packet as it leaves the mobile node. The security policy on each firewall should be configured to processes packets as follows: (a) Look for an authentication header in the datagram (drop packet if there isn't one) and look up the security association referenced by the included Security Parameter Index [RFC1825, 1826]. (b) Verify the authenticator (drop packet if authentication fails). Gupta & Glass Expires September 17, 1997 [Page 9] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 (c) Decrypt packet if ESP is present to recover a new datagram. Note that steps (b) and (c) may need to be performed multiple times if there are nested security headers for the same destination. This process will eventually yield a datagram to be forwarded beyond this firewall. (d) If the last exposed datagram is likely to be dropped by filtering routers before reaching its destination (e.g. because the source address is unknown), then tunnel the packet of item (c) to the next destination. Either a tunnel-mode IP Authentication Header or plain IPinIP may be used since both are able to hide the unknown source address (COA) from internal routers. Actions (a)-(c) do not place any additional burden on IPSEC compliant hosts. Action (d) is required only if the protected domain uses private addresses and internal routers are configured to drop packets in which the source or destination address is unknown or the source is inconsistent with the interface on which the packet arrives. Even so, action (d) may not be required at all firewalls, e.g. FWn can skip this step if there are no filtering routers between FWn and HA. As a result of these actions, the "inbound" datagram datagram looks as follows as it travels towards the home agent. <---------- +-------+-----+-------+-----+- .. -+------+-----+-------+---------+ | s=FW1 | AH' | s=COA | AH2 | |s=COA | AHn | s=COA | MIP | | d=FW2 | | d=FW2 | | |d=FWn | | d=HA | payload | +-------+-----+-------+-----+- .. -+------+-----+-------+---------+ Figure 5: "Inbound" packet on its way from FW1 to FW2. <---------- +-------+------+-------+-----+- .. -+------+-----+-------+---------+ | s=FW2 | AH'' | s=COA | AH3 | |s=COA | AHn | s=COA | MIP | | d=FW3 | | d=FW3 | | |d=FWn | | d=HA | payload | +-------+------+-------+-----+- .. -+------+-----+-------+---------+ Figure 6: "Inbound" packet on its way from FW2 to FW3. <---------- +-------+----+-------+---------+ | s=FWn | AH | s=COA | MIP | | d=HA | | d=HA | payload | +-------+----+-------+---------+ Figure 7: "Inbound" packet on its way from FWn to HA. Gupta & Glass Expires September 17, 1997 [Page 10] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 The home agent recovers the original "inbound" packet (Figure 1) and processes it as under normal Mobile IP (in the presence of reverse tunneling [Mont97]). Note that depending on the kind of tunneling used in step (d) and the placement of filtering routers, HA may need to be IPSEC aware. 4. Outbound Datagram Processing Since hosts inside the protected domain are trusted, non-perimeter firewalls like FW2, ..., FWn may be configured to allow outgoing packets to pass without any authentication. In this situation, outbound datagram processing is quite simple. The home agent creates an outbound packet as part of normal Mobile IP operation. If the destination is recognized as being outside the protected domain, the packet is explicitly directed at the perimeter firewall FW1 either by using IPinIP tunneling or a tunnel mode Authentication header. The former requires that FW1 be able to decapsulate IPinIP datagrams while the latter requires HA to be IPSEC aware. The resulting packet is shown in Figure 8. ----------> +---------+-------+-----+-------+ | MIP | s=HA | AH' | s=HA | | payload | d=COA | | d=FW1 | +---------+-------+-----+-------+ Figure 8: Outbound packet as it leaves HA (the authentication header may not be needed). Once this packet reaches the perimeter firewall FW1 successfully, the original "outbound" datagram is recovered (either after IPSEC processing or IPinIP decapsulation). The security policy on FW1 must be configured as follows: If a packet is to be forwarded to a destination for which a security association exists, appropriate IPSEC headers must be added before forwarding. As a result of this policy, the "outbound" packet looks as shown in Figure 9 as it leaves FW1 for the mobile node. Gupta & Glass Expires September 17, 1997 [Page 11] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 ----------> +---------+-------+-----+----+-------+ | MIP | s=HA | ESP | AH | s=FW1 | | payload | d=COA | | | d=COA | +---------+-------+-----+----+-------+ Figure 9: "Outbound" packet on its way from FW1 to MN. Intermediate routers such as R' and R'' see a topologically correct source address and a routable (known) destination address. Once the packet reaches the mobile node, the original "outbound" datagram is recovered after IPSEC processing and processed as with normal Mobile IP. If FW2, ... FWn require source authentication even on outgoing packets the process by which the outbound datagram reaches FW1 is no longer as simple. In this situation the overall processing is similar to that described for inbound datagrams but in the reverse direction. ----------> +---------+-------+-----+-------+-----+-------+- .. -+-----+-------+ | MIP | s=HA | AH1 | s=HA | AH2 | s=HA | | AHn | s=HA | | payload | d=COA | | d=FW1 | | d=FW2 | | | d=FWn | +---------+-------+-----+-------+-----+-------+- .. -+-----+-------+ Figure 10: An "outbound" packet as it leaves HA. +---------+-------+-----+-------+-----+-------+ | MIP | s=HA | AH1 | s=HA | AH2 | s=HA | | payload | d=COA | | d=FW1 | | d=FW2 | +---------+-------+-----+-------+-----+-------+ Figure 11: An "outbound" packet on its way from FW3 to FW2. +---------+-------+-----+-------+ | MIP | s=HA | AH1 | s=HA | | payload | d=COA | | d=FW1 | +---------+-------+-----+-------+ Figure 12: An "outbound" packet on its way from FW2 to FW1. Note that intermediate firewalls do not need to prepend additional headers before forwarding an outbound packet because already the outermost source and destination are known to internal routers and the source is topologically correct. Gupta & Glass Expires September 17, 1997 [Page 12] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 5. Closing Remarks The mechanism outlined here allows Mobile IP operation even when a mobile node roams outside its firewall-protected domain. This functionality is achieved at the cost of introducing sub-optimal "quadrangle" routing and additional header overhead. The amount of header overhead depends on the number of intervening firewalls. In most cases just a single firewall must be traversed. Preliminary experiments on a SKIP-based implementation [MoGu96] suggest that the performance penalty due to IPSEC processing and additional headers on sustained throughput is roughly ten percent. Bursty traffic rates can show significant variance because the use of Mobile IP and IPSEC tunnels delays Path MTU discovery. Several packets may need to be sent before the sender's path MTU estimate becomes small enough to account for all intermediate tunnels, e.g. one ftp transfer of a 0.5 MB file attained a transfer rate of 7KB/s but after the path MTU had been cached at the sender, the same file was transferred at a rate of 270 KB/s. 6. Security Considerations This entire document discusses security considerations for mobile nodes. Using the procedure outlined in this document, datagrams between a mobile node and its home agent can pass freely through firewalls protecting its home domain. In this situation, the mobile node acts as an extension of the security perimeter surrounding its home domain and must, therefore, share in the responsibility of protecting it from outsiders. In the absence of user-specific keying information, someone who steals the mobile node may also gain access to the home network. Acknowledgments This document builds upon ideas previously introduced in [MoGu96] and discussions at the "Secure firewall Traversal for Mobile IP" special meeting held during the 37th IETF meeting. References [CA9621] CERT Advisory CA-96.21, "TCP SYN Flooding and IP Spoofing Attacks", available at ftp://info.cert.org/pub/ cert_advisories/CA-96.21.tcp_syn_flooding. [ChZw95] D. B. Chapman and E. Zwicky, "Building Internet Firewalls", O'Reilly & Associates, Inc., Sept. 1995. [GuGl97] V. Gupta and S. Glass, "Firewall traversal for Mobile IP: Goals and Requirements". Draft -- work in progress, January 1997. [LGLK96] M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas and L. Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996. [Leec96] M. Leech, "Username/Password Authentication for SOCKS V5", RFC 1929, March 1996. [MSST96] D. Maughan, M. Schertler, M. Schneider and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", version 7, Draft -- work in progress. Gupta & Glass Expires September 17, 1997 [Page 13] INTERNET DRAFT Firewall Traversal for Mobile IP March 1997 [McMa96] P. McMahon, "GSS-API Authentication Method for SOCKS Version 5", RFC 1961, June 1996. [Mont97] G. Montenegro, "Bi-directional Tunneling for Mobile IP", Draft -- work in progress, Feb. 1997. [MoGu96] G. Montenegro and V. Gupta, "Firewall Support for Mobile IP". Draft , work in progress, Sept. 1996. [Orma96] H. Orman, "The Oakley Key Determination Protocol", version 1, Draft -- work in progress. [Per96a] C. Perkins, "IP Mobility Support", RFC 2002. [Per96b] C. Perkins, "IP Encapsulation within IP", RFC 2003. [Per96c] C. Perkins, "Minimal Encapsulation within IP", RFC 2004. Author's Address Vipul Gupta Sun Microsystems, Inc. 2550 Garcia Avenue Mailstop UMPK 15-214 Mountain View, CA 94043-1100 Tel: (415) 786 3614 Fax: (415) 786 6445 EMail: vipul.gupta@eng.sun.com Steven M. Glass FTP Software 2 High Street North Andover, MA 01949 Tel: (508) 685 4000 Fax: (508) 684 6105 EMail: glass@ftp.com Gupta & Glass Expires September 17, 1997 [Page 14]